|
|
|
Vulnerability Note VU#878044
SNMPv3 improper HMAC validation allows authentication bypass
OverviewA vulnerability in the way implementations of SNMPv3 handle specially crafted packets may allow authentication bypass.
I. DescriptionSNMP can be configured to utilize version 3, which is the current standard version of SNMP. SNMPv3 incorporates security features such as authentication and privacy control among other features. Authentication for SNMPv3 is done using keyed-Hash Message Authentication Code (HMAC), a message authentication code calculated using a cryptographic hash function in combination with a secret key. Implementations of SNMPv3 may allow a shortened HMAC code in the authenticator field to authenticate to an agent or a trap daemon using a minimum HMAC of 1 byte.
This issue is known to affect Net-SNMP and UCD-SNMP. Other SNMP implementations may also be affected.
II. ImpactThis vulnerability allows attackers to read and modify any SNMP object that can be accessed by the impersonated user. Attackers exploiting this vulnerability can view and modify the configuration of these devices.
III. Solution
Upgrade
This vulnerability is addressed in Net-SNMP versions 5.4.1.1, 5.3.2.1, 5.2.4.1, 5.1.4.1, 5.0.11.1 and UCD-SNMP 4.2.7.1. Please see the Net-SNMP download page.
Alternatively, consult your vendor. See the Systems Affected section below for more information.
Apply a patch
Net-SNMP has released a patch to address this issue. For more information refer to SECURITY RELEASE: Multple Net-SNMP Versions Released. Users are encouraged to apply the patch as soon as possible. Note that patch should apply cleanly to UCD-snmp too.
Enable the SNMPv3 privacy subsystem
The configuration should be modified to enable the SNMPv3 privacy subsystem to encrypt the SNMPv3 traffic using a secret, private key. This option does not encrypt the HMAC, but does minimize the possible affects from this vulnerability.
Systems Affected
| Vendor | Status | Date Updated |
|---|
| 3com, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| ACCESS | Unknown | 2008-06-02 | 2008-06-02 |
| AdventNet Inc. | Not Vulnerable | 2008-06-13 | 2008-06-18 |
| Alcatel | Unknown | 2008-05-20 | 2008-05-20 |
| Apple Computer, Inc. | Unknown | 2008-06-02 | 2008-06-02 |
| Aruba Networks, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Asante Technologies, Inc. | Unknown | 2008-06-13 | 2008-06-13 |
| Atheros Communications, Inc. | Unknown | 2008-06-13 | 2008-06-13 |
| AT&T | Unknown | 2008-05-20 | 2008-05-20 |
| Avaya, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Avici Systems, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| BEA Systems, Inc. | Unknown | 2008-06-13 | 2008-06-13 |
| Borderware Technologies | Unknown | 2008-05-20 | 2008-05-20 |
| Bro | Unknown | 2008-05-20 | 2008-05-20 |
| Broadcom | Unknown | 2008-06-13 | 2008-06-13 |
| Charlotte's Web Networks | Unknown | 2008-05-20 | 2008-05-20 |
| Check Point Software Technologies | Unknown | 2008-05-20 | 2008-05-20 |
| Cisco Systems, Inc. | Unknown | 2008-05-20 | 2008-06-13 |
| Clavister | Unknown | 2008-05-20 | 2008-05-20 |
| Computer Associates | Not Vulnerable | 2008-05-20 | 2008-06-20 |
| Computer Associates eTrust Security Management | Not Vulnerable | 2008-05-20 | 2008-06-20 |
| Conectiva Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Cosinecom | Unknown | 2008-06-13 | 2008-06-13 |
| Covalent Technologies | Unknown | 2008-06-13 | 2008-06-13 |
| cPanel Inc. | Unknown | 2008-06-13 | 2008-06-13 |
| Cray Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Cyclades, Inc. | Unknown | 2008-06-13 | 2008-06-13 |
| D-Link Systems, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Data Connection, Ltd. | Unknown | 2008-05-20 | 2008-05-20 |
| Debian GNU/Linux | Unknown | 2008-05-20 | 2008-05-20 |
| eCosCentric | Vulnerable | | 2008-06-13 |
| EMC Corporation | Unknown | 2008-05-20 | 2008-05-20 |
| Engarde Secure Linux | Unknown | 2008-05-20 | 2008-05-20 |
| Enterasys Networks | Unknown | 2008-05-20 | 2008-05-20 |
| Ericsson | Unknown | 2008-05-20 | 2008-05-20 |
| eSoft, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Extreme Networks | Vulnerable | 2008-05-20 | 2009-04-22 |
| F5 Networks, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Fedora Project | Unknown | 2008-05-20 | 2008-05-20 |
| Force10 Networks, Inc. | Not Vulnerable | 2008-05-20 | 2008-06-12 |
| Fortinet, Inc. | Not Vulnerable | 2008-05-20 | 2008-05-27 |
| Foundry Networks, Inc. | Not Vulnerable | 2008-05-20 | 2008-06-17 |
| FreeBSD, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Fujitsu | Unknown | 2008-05-20 | 2008-05-20 |
| Funkwerk Enterprise Communications | Not Vulnerable | | 2008-06-18 |
| Gentoo Linux | Unknown | 2008-06-04 | 2008-06-04 |
| Global Technology Associates | Vulnerable | 2008-05-20 | 2009-07-16 |
| Harris Corporation | Unknown | 2008-06-13 | 2008-06-13 |
| Hewlett-Packard Company | Unknown | 2008-05-20 | 2008-05-20 |
| Hitachi | Unknown | 2008-05-20 | 2008-05-20 |
| Hyperchip | Unknown | 2008-05-20 | 2008-05-20 |
| IBM Corporation | Not Vulnerable | 2008-05-20 | 2008-06-18 |
| IBM Corporation (zseries) | Unknown | 2008-05-20 | 2008-05-20 |
| IBM eServer | Unknown | 2008-05-20 | 2008-05-20 |
| Ingrian Networks, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Inktomi Corporation (now Yahoo!) | Unknown | 2008-06-13 | 2008-06-13 |
| Intel Corporation | Not Vulnerable | 2008-05-20 | 2008-05-21 |
| Internet Initiative Japan | Vulnerable | | 2008-06-19 |
| Internet Security Systems, Inc. | Not Vulnerable | 2008-05-20 | 2008-06-04 |
| Intoto | Unknown | 2008-05-20 | 2008-05-20 |
| IP Filter | Unknown | 2008-05-20 | 2008-05-20 |
| IP Infusion, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Juniper Networks, Inc. | Vulnerable | 2008-05-20 | 2008-06-09 |
| Lantronix | Unknown | 2008-06-13 | 2008-06-13 |
| Linux Kernel Archives | Unknown | 2008-05-20 | 2008-05-20 |
| Lotus Software | Unknown | 2008-06-13 | 2008-06-13 |
| Lucent Technologies | Unknown | 2008-05-20 | 2008-05-20 |
| Luminous Networks | Unknown | 2008-05-20 | 2008-05-20 |
| m0n0wall | Unknown | 2008-05-20 | 2008-05-20 |
| Mandriva, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Marconi, Inc. | Unknown | 2008-06-13 | 2008-06-13 |
| McAfee | Unknown | 2008-05-20 | 2008-05-20 |
| MetaSwitch | Unknown | 2008-06-13 | 2008-06-13 |
| Metrobility, Inc. | Unknown | 2008-06-13 | 2008-06-13 |
| Microsoft Corporation | Not Vulnerable | 2008-05-20 | 2008-05-28 |
| MontaVista Software, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Motion Media Technologies, Inc. | Unknown | 2008-06-13 | 2008-06-13 |
| Multinet (owned Process Software Corporation) | Unknown | 2008-05-20 | 2008-05-20 |
| Multitech, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| NEC Corporation | Unknown | 2008-05-20 | 2008-05-20 |
| Net-Policy | Unknown | | 2008-06-13 |
| NetBSD | Unknown | 2008-05-20 | 2008-05-20 |
| netfilter | Unknown | 2008-05-20 | 2008-05-20 |
| Netgear, Inc. | Unknown | 2008-06-13 | 2008-06-13 |
| Netscape Communications Corporation | Unknown | 2008-06-13 | 2008-06-13 |
| netsnmp | Vulnerable | 2008-05-16 | 2008-06-10 |
| netsnmpj | Unknown | | 2008-06-13 |
| Network Appliance, Inc. | Vulnerable | 2008-05-20 | 2008-06-04 |
| NextHop Technologies, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Nokia | Unknown | 20-May-2008 |
| Nortel Networks, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Novell, Inc. | Not Vulnerable | 2008-05-20 | 2008-06-04 |
| OpenBSD | Unknown | 2008-05-20 | 2008-05-20 |
| openSNMP | Unknown | | 2008-06-13 |
| Openwall GNU/*/Linux | Unknown | 2008-05-20 | 2008-05-20 |
| Oracle Corporation | Unknown | 2008-06-13 | 2008-06-13 |
| Polycom | Unknown | 2008-06-13 | 2008-06-13 |
| QNX, Software Systems, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Quagga | Unknown | 2008-05-20 | 2008-05-20 |
| QUALCOMM Incorporated | Unknown | 2008-06-13 | 2008-06-13 |
| Rad Vision, Inc. | Unknown | 2008-06-13 | 2008-06-13 |
| Red Hat, Inc. | Vulnerable | 2008-05-20 | 2008-06-06 |
| Redback Networks, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Riverstone Networks, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Secure Computing Network Security Division | Unknown | 2008-05-20 | 2008-05-20 |
| Secureworx, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Silicon Graphics, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Slackware Linux Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| SmoothWall | Unknown | 2008-05-20 | 2008-05-20 |
| SNMP Research | Vulnerable | | 2008-06-06 |
| Snort | Unknown | 2008-05-20 | 2008-05-20 |
| Soapstone Networks | Unknown | 2008-06-02 | 2008-06-02 |
| Sony Corporation | Unknown | 2008-05-20 | 2008-05-20 |
| Sourcefire | Unknown | 2008-05-20 | 2008-05-20 |
| Stonesoft | Not Vulnerable | 2008-05-20 | 2008-06-23 |
| Sun Microsystems, Inc. | Vulnerable | 2008-05-20 | 2008-06-16 |
| SUSE Linux | Unknown | 2008-05-20 | 2008-05-20 |
| Symantec, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| The SCO Group | Unknown | 2008-05-20 | 2008-05-20 |
| The Teamware Group | Unknown | 2008-06-13 | 2008-06-13 |
| TippingPoint, Technologies, Inc. | Not Vulnerable | 2008-05-20 | 2008-05-21 |
| Trustix Secure Linux | Unknown | 2008-05-20 | 2008-05-20 |
| Turbolinux | Unknown | 2008-05-20 | 2008-05-20 |
| Ubuntu | Unknown | 2008-05-20 | 2008-05-20 |
| Vertical Networks, Inc. | Unknown | 2008-06-13 | 2008-06-13 |
| Watchguard Technologies, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| Wind River Systems, Inc. | Unknown | 2008-05-20 | 2008-05-20 |
| ZyXEL | Unknown | 2008-05-20 | 2008-05-20 |
References
http://sourceforge.net/forum/forum.php?forum_id=833770
http://www.ocert.org/advisories/ocert-2008-006.html
http://secunia.com/advisories/30574/
http://secunia.com/advisories/30665/
http://sunsolve.sun.com/search/document.do?assetkey=1-66-238865-1
Credit
This issue was reported by Wes Hardaker at Net-SNMP. Thanks also to Jeff Case of SNMP Research and oCERT.
This document was written by Chris Taschner and David Warren.
Other Information
| Date Public | 05/31/2008 |
| Date First Published | 06/10/2008 09:59:27 AM |
| Date Last Updated | 07/16/2009 |
| CERT Advisory | |
| CVE Name | CVE-2008-0960 |
| Metric | 7.56 |
| Document Revision | 36 |
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
 |
